CVE-2023-52517 (GCVE-0-2023-52517)

Vulnerability from cvelistv5 – Published: 2024-03-02 21:52 – Updated: 2026-01-05 10:16
VLAI?
Title
spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain
Summary
In the Linux kernel, the following vulnerability has been resolved: spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain Previously the transfer complete IRQ immediately drained to RX FIFO to read any data remaining in FIFO to the RX buffer. This behaviour is correct when dealing with SPI in interrupt mode. However in DMA mode the transfer complete interrupt still fires as soon as all bytes to be transferred have been stored in the FIFO. At that point data in the FIFO still needs to be picked up by the DMA engine. Thus the drain procedure and DMA engine end up racing to read from RX FIFO, corrupting any data read. Additionally the RX buffer pointer is never adjusted according to DMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA mode is a bug. Fix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode. Also wait for completion of RX DMA when in DMA mode before returning to ensure all data has been copied to the supplied memory buffer.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 345980a3a5e5e1c99fc621e2ce878fb150ad2287 , < bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f (git)
Affected: 345980a3a5e5e1c99fc621e2ce878fb150ad2287 , < 36b29974a7ad2ff604c24ad348f940506c7b1209 (git)
Affected: 345980a3a5e5e1c99fc621e2ce878fb150ad2287 , < 4e149d524678431638ff378ef6025e4e89b71097 (git)
Affected: 345980a3a5e5e1c99fc621e2ce878fb150ad2287 , < 1f11f4202caf5710204d334fe63392052783876d (git)
Create a notification for this product.
    Linux Linux Affected: 5.11
Unaffected: 0 , < 5.11 (semver)
Unaffected: 5.15.134 , ≤ 5.15.* (semver)
Unaffected: 6.1.56 , ≤ 6.1.* (semver)
Unaffected: 6.5.6 , ≤ 6.5.* (semver)
Unaffected: 6.6 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:03:20.853Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52517",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:56:43.553628Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:40.654Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-sun6i.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f",
              "status": "affected",
              "version": "345980a3a5e5e1c99fc621e2ce878fb150ad2287",
              "versionType": "git"
            },
            {
              "lessThan": "36b29974a7ad2ff604c24ad348f940506c7b1209",
              "status": "affected",
              "version": "345980a3a5e5e1c99fc621e2ce878fb150ad2287",
              "versionType": "git"
            },
            {
              "lessThan": "4e149d524678431638ff378ef6025e4e89b71097",
              "status": "affected",
              "version": "345980a3a5e5e1c99fc621e2ce878fb150ad2287",
              "versionType": "git"
            },
            {
              "lessThan": "1f11f4202caf5710204d334fe63392052783876d",
              "status": "affected",
              "version": "345980a3a5e5e1c99fc621e2ce878fb150ad2287",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/spi/spi-sun6i.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.56",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.5.*",
              "status": "unaffected",
              "version": "6.5.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.6",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.134",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.56",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5.6",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\n\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\nread any data remaining in FIFO to the RX buffer. This behaviour is\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\ntransfer complete interrupt still fires as soon as all bytes to be\ntransferred have been stored in the FIFO. At that point data in the FIFO\nstill needs to be picked up by the DMA engine. Thus the drain procedure\nand DMA engine end up racing to read from RX FIFO, corrupting any data\nread. Additionally the RX buffer pointer is never adjusted according to\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\nmode is a bug.\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\nAlso wait for completion of RX DMA when in DMA mode before returning to\nensure all data has been copied to the supplied memory buffer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:16:22.386Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d"
        }
      ],
      "title": "spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52517",
    "datePublished": "2024-03-02T21:52:27.152Z",
    "dateReserved": "2024-02-20T12:30:33.317Z",
    "dateUpdated": "2026-01-05T10:16:22.386Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T23:03:20.853Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-52517\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-10T15:56:43.553628Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T12:42:18.065Z\"}}], \"cna\": {\"title\": \"spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"345980a3a5e5e1c99fc621e2ce878fb150ad2287\", \"lessThan\": \"bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"345980a3a5e5e1c99fc621e2ce878fb150ad2287\", \"lessThan\": \"36b29974a7ad2ff604c24ad348f940506c7b1209\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"345980a3a5e5e1c99fc621e2ce878fb150ad2287\", \"lessThan\": \"4e149d524678431638ff378ef6025e4e89b71097\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"345980a3a5e5e1c99fc621e2ce878fb150ad2287\", \"lessThan\": \"1f11f4202caf5710204d334fe63392052783876d\", \"versionType\": \"git\"}], \"programFiles\": [\"drivers/spi/spi-sun6i.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.11\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"5.11\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"5.15.134\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"6.1.56\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.1.*\"}, {\"status\": \"unaffected\", \"version\": \"6.5.6\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.5.*\"}, {\"status\": \"unaffected\", \"version\": \"6.6\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"drivers/spi/spi-sun6i.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/bd1ec7f9983b5cd3c77e0f7cda3fa8aed041af2f\"}, {\"url\": \"https://git.kernel.org/stable/c/36b29974a7ad2ff604c24ad348f940506c7b1209\"}, {\"url\": \"https://git.kernel.org/stable/c/4e149d524678431638ff378ef6025e4e89b71097\"}, {\"url\": \"https://git.kernel.org/stable/c/1f11f4202caf5710204d334fe63392052783876d\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nspi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain\\n\\nPreviously the transfer complete IRQ immediately drained to RX FIFO to\\nread any data remaining in FIFO to the RX buffer. This behaviour is\\ncorrect when dealing with SPI in interrupt mode. However in DMA mode the\\ntransfer complete interrupt still fires as soon as all bytes to be\\ntransferred have been stored in the FIFO. At that point data in the FIFO\\nstill needs to be picked up by the DMA engine. Thus the drain procedure\\nand DMA engine end up racing to read from RX FIFO, corrupting any data\\nread. Additionally the RX buffer pointer is never adjusted according to\\nDMA progress in DMA mode, thus calling the RX FIFO drain procedure in DMA\\nmode is a bug.\\nFix corruptions in DMA RX mode by draining RX FIFO only in interrupt mode.\\nAlso wait for completion of RX DMA when in DMA mode before returning to\\nensure all data has been copied to the supplied memory buffer.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.134\", \"versionStartIncluding\": \"5.11\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.1.56\", \"versionStartIncluding\": \"5.11\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.5.6\", \"versionStartIncluding\": \"5.11\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6\", \"versionStartIncluding\": \"5.11\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2026-01-05T10:16:22.386Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-52517\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-05T10:16:22.386Z\", \"dateReserved\": \"2024-02-20T12:30:33.317Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-03-02T21:52:27.152Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.